Feature #962 (closed)

Can I log the mac address of the source?

Added by 冠宇 陳 about 11 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal

Description

Knowing the MAC address can help us with knowing the attacker. So can Suricata log the MAC address? Like the -e option in Snort? Thanks for the help.


Related issues 2 (1 open, 1 closed)

Related to Suricata - Task #2309: SuriCon 2017 brainstorm (Assigned, Victor Julien)
Related to Suricata - Bug #1711: eve: Ethernet Header Missing From Packet Field (Closed)
Actions #1

Updated by Victor Julien about 11 years ago

We don't have a similar option. How are the mac addresses logged with -e in Snort?

Actions #2

Updated by Victor Julien about 11 years ago

  • Target version set to TBD
Actions #3

Updated by Song Liu almost 11 years ago

In NFQ mode, we don't have a MAC address, because it is layer 3.

Actions #4

Updated by Andreas Herz almost 9 years ago

That's a feature request. Did anyone already look into that? I did just test it with Snort in sniffer mode (-vCd -i $DEVICE -e), which we don't have exactly, but it could be useful in normal IDS mode as well.

Actions #5

Updated by Andreas Herz almost 9 years ago

  • Tracker changed from Support to Feature
  • Assignee set to OISF Dev
Actions #6

Updated by Victor Julien almost 7 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Eric Leblond
  • Target version changed from TBD to 70
Actions #7

Updated by Victor Julien almost 7 years ago

  • Related to Task #2309: SuriCon 2017 brainstorm added
Actions #8

Updated by Victor Julien over 6 years ago

At the team meeting in Amsterdam 2018 we agreed on the following:

  • for packets, log mac src/dst as a scalar field in eve
  • for flows, log mac src/dst as lists in eve
  • field names should be different to avoid type confusion (e.g. src_mac vs src_macs?)

Alerts will log based on packet, but can add mac addrs from flow too.
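
An added example (not code from this issue or from the Suricata code base) of a consumer for the output format agreed above: it reads constructed EVE lines, accepts the scalar src_mac/dest_mac form on packet-based events and the list src_macs/dest_macs form on flow records without confusing the two types, validates each address, and notes records that carry no Ethernet addresses at all (the layer-3 case from note #3) or a flow that saw more than one source MAC. The field names and their top-level placement are assumptions taken from the proposal, not the shipped format.

```python
import json
import re

# Constructed sample EVE lines (not real Suricata output). Field names follow the
# naming proposed in the thread: scalar src_mac/dest_mac on packet-based events,
# list src_macs/dest_macs on flow records. Top-level placement is an assumption.
SAMPLE_EVE = """\
{"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "src_mac": "00:11:22:33:44:55", "dest_mac": "66:77:88:99:AA:BB"}
{"event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "src_macs": ["00:11:22:33:44:55", "00:11:22:33:44:56"], "dest_macs": ["66:77:88:99:aa:bb"]}
{"event_type": "flow", "src_ip": "10.0.0.7", "dest_ip": "10.0.0.9"}
{"event_type": "alert", "src_ip": "10.0.0.8", "dest_ip": "10.0.0.9", "src_mac": "zz:11:22:33:44:55", "dest_mac": "66:77:88:99:aa:bb"}
"""
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(value):
    """Lower-case and validate one MAC string; return None if it is malformed."""
    if not isinstance(value, str):
        return None
    mac = value.strip().lower()
    return mac if MAC_RE.match(mac) else None


def extract_macs(event, side):
    """Collect valid MACs for one side ("src"/"dest"), accepting the scalar
    packet form (src_mac) and the list flow form (src_macs) without confusing them."""
    raw = []
    scalar = event.get(f"{side}_mac")
    if scalar is not None:
        raw.append(scalar)
    listed = event.get(f"{side}_macs")
    if isinstance(listed, list):
        raw.extend(listed)
    elif listed is not None:  # tolerate a stray scalar where a list was expected
        raw.append(listed)
    return {m for m in (normalize_mac(v) for v in raw) if m}


def summarize(lines):
    """Parse EVE lines into (event_type, src_macs, dest_macs, note) tuples."""
    rows = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        src, dst = extract_macs(ev, "src"), extract_macs(ev, "dest")
        note = ""
        if not src and not dst:
            note = "no ethernet addresses (e.g. layer-3 capture such as NFQ)"
        elif len(src) > 1:
            note = "flow carried more than one source MAC"
        rows.append((ev.get("event_type"), sorted(src), sorted(dst), note))
    return rows
```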

Actions #9

Updated by Raymond Hansen about 6 years ago

  • Assignee changed from Eric Leblond to Sascha Steinbiss
Actions #10

Updated by Victor Julien over 5 years ago

  • Related to Bug #1711: eve: Ethernet Header Missing From Packet Field added
Actions #11

Updated by Sascha Steinbiss over 4 years ago

Just taking a look at this atm.

>   • for packets, log mac src/dst as a scalar field in eve
>   • for flows, log mac src/dst as lists in eve
>   • field names should be different to avoid type confusion (e.g. src_mac vs src_macs?)
>
> Alerts will log based on packet, but can add mac addrs from flow too.

I am wondering how to decide whether something is to be logged as flow or packet. Would it be enough to look at p->flow in CreateJSONHeader and see if the *pktcnt values there indicate >1 packet?

Also, am I correct in assuming that in order to log a list of MAC addresses, one would need to gather and update that during packet->flow assignment? Can you suggest a good suitable place to do that in the code? FlowHandlePacketUpdate?

Thanks!

Actions #12

Updated by Sascha Steinbiss over 4 years ago

Sascha Steinbiss wrote in #note-11:

> Just taking a look at this atm.
>
> >   • for packets, log mac src/dst as a scalar field in eve
> >   • for flows, log mac src/dst as lists in eve
> >   • field names should be different to avoid type confusion (e.g. src_mac vs src_macs?)
> >
> > Alerts will log based on packet, but can add mac addrs from flow too.
>
> I am wondering how to decide whether something is to be logged as flow or packet. Would it be enough to look at p->flow in CreateJSONHeader and see if the *pktcnt values there indicate >1 packet?
>
> Also, am I correct in assuming that in order to log a list of MAC addresses, one would need to gather and update that during packet->flow assignment? Can you suggest a good suitable place to do that in the code? FlowHandlePacketUpdate?

I think I've at least found a starting point: https://github.com/satta/suricata/commit/ac09ed3d3b85c76c0bb38795efcb0ab11466f67b

Actions #13

Updated by Victor Julien over 4 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 6.0.0beta1